Iptables rules at boot

Hi

I have a small home network and I want to block some forums on the web.
When I use this

iptables -A INPUT -s forum -j DROP

the rule is applied, but when I restart some of the PCs the rules are not present any more. I also tried to save the firewall settings with

iptables-save > /root/dsl.fw

but how do I apply the rules automatically? Maybe with some kind of script?

I am not experienced with network security, so I am asking here :P

OS: Ubuntu x64 with the latest kernel

Ubuntu has ufw (Uncomplicated Firewall, available since Ubuntu Hardy), which is probably the easiest way to do what you want. If you want to keep working the way you are currently doing things, then just do an iptables-load in an init script to load back in your iptables-save file.
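As an added example (not code from this thread), here is a small rc-style script that does what the answer above describes: at boot it feeds the file the question saved with iptables-save back into iptables-restore, the command that reads iptables-save output, after checking that the dump is complete. The rules path /root/dsl.fw comes from the question; the sample dump, the rule-counting helper and the "save"/"status" actions are constructed for this example, and the blocked address in the sample is a documentation address standing in for the forum host.

```shell
#!/bin/sh
# Added example, not code from the thread: an rc-style script that reloads a
# rule set saved with `iptables-save` at boot. RULES_FILE defaults to the path
# used in the question; the sample dump below is constructed for illustration.

RULES_FILE="${RULES_FILE:-/root/dsl.fw}"

# rules_file_ok FILE -> 0 if FILE looks like a complete iptables-save dump:
# non-empty, at least one table header (*filter, *nat, ...) and every header
# matched by a COMMIT line. iptables-restore applies a table's rules only when
# it reads that table's COMMIT, so a truncated dump is rejected and the host
# boots with no rules loaded; checking first gives a clear message instead.
rules_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '^\*[a-z]*$' "$f" || return 1
    grep -q '^COMMIT$' "$f" || return 1
    tables=$(grep -c '^\*' "$f")
    commits=$(grep -c '^COMMIT$' "$f")
    [ "$tables" -eq "$commits" ]
}

# saved_rule_count FILE -> number of rule lines (-A ...) in the dump; chain
# headers (:INPUT ...) and packet counters are not rules.
saved_rule_count() {
    grep -c '^-A ' "$1" || true
}

# write_sample_dump FILE: constructed sample in iptables-save format, dropping
# traffic from one host (a documentation address standing in for "forum").
write_sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.10/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# load_rules: validate, then hand the dump to iptables-restore (needs root).
load_rules() {
    if ! rules_file_ok "$RULES_FILE"; then
        echo "$0: $RULES_FILE is missing or not a complete dump; rules not loaded" >&2
        return 1
    fi
    iptables-restore < "$RULES_FILE"
}

case "${1:-}" in
    start)  load_rules ;;
    save)   iptables-save > "$RULES_FILE" ;;   # run after changing rules by hand
    status)
        echo "rules in $RULES_FILE: $(saved_rule_count "$RULES_FILE")"
        echo "rules loaded in kernel: $(iptables -S 2>/dev/null | grep -c '^-A' || true)"
        ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "Usage: $0 {start|save|status}" >&2; exit 3 ;;
esac
```

Install it like any other rc script for your distribution, run it with `start` at boot and with `save` after editing rules, and keep the dump readable by root only so that nobody else can change what gets loaded at the next boot. `status` compares the number of rules in the file with what the kernel currently reports, which is the quickest way to see whether the boot-time load actually happened.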

Use an rc script, e.g. called ip_tables_setup:

#!/bin/bash

# chkconfig: 2345 01 99

PATH=/sbin:/bin:/usr/bin

case "$1" in
  start|"")
	MyIF=wlan0
	# Pull the interface's IPv4 address out of the old net-tools
	# "inet addr:x.x.x.x" ifconfig output format.
	MyIP=`ifconfig ${MyIF} | grep inet | grep -v 127.0.0.1 | grep -v inet6 | grep addr | \
	     awk '{ print $2 }' | awk -F":" '{ print $2 }'`

	#-----------------------
	# load modules
	#-----------------------
	/sbin/depmod -a
	/sbin/modprobe ip_conntrack
	/sbin/modprobe ip_tables
	/sbin/modprobe iptable_filter
	/sbin/modprobe iptable_mangle
	/sbin/modprobe iptable_nat
	/sbin/modprobe ipt_LOG
	#/sbin/modprobe ipt_REJECT
	#/sbin/modprobe ipt_MASQUERADE
	#/sbin/modprobe ip_conntrack_ftp

	#-----------------------
	# flush all chains
	#-----------------------
	iptables -F INPUT
	iptables -F FORWARD
	iptables -F OUTPUT
	iptables -F -t nat

	#----------------------
	# Default policies
	#----------------------
	# The INPUT policy is left at the kernel default (ACCEPT); packets from
	# the forum host are dropped by the explicit rule below. Note that the
	# name "forum" is resolved with DNS when the rule is loaded, so if name
	# resolution is not available yet at boot the rule is not added.
	iptables -A INPUT -s forum -j DROP
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT
	#iptables -A FORWARD -f -j ACCEPT

	#---------------------------------
	# All outgoing allowed
	#---------------------------------
	iptables -A OUTPUT -o $MyIF -s $MyIP -d 0/0 -j ACCEPT

	#---------------------------------
	# Established incoming allowed
	#---------------------------------
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	#---------------------------------
	# SSH incoming allowed
	#---------------------------------
	# iptables -A INPUT -i $MyIF -p tcp --syn -s 0/0 -d $MyIP --dport 22 -j ACCEPT
	;;
  restart|reload|force-reload)
	echo "Error: argument '$1' not supported" >&2
	exit 3
	;;
  stop)
	# Open the firewall again: reset the policies to ACCEPT and flush the rules
	iptables -P INPUT ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -F INPUT
	iptables -F FORWARD
	iptables -F OUTPUT
	iptables -F -t nat
	;;
  status)
	iptables --list
	;;
  *)
	echo "Usage: $0 [start|status|stop]" >&2
	exit 3
	;;
esac

exit 0

Change wlan0 to the name of your interface.

Then run:

# chkconfig --add ip_tables_setup